GLITCH is a technology-agnostic framework that enables automated detection of IaC smells and, via InfraFix, interactive repair of infrastructure code. GLITCH allows polyglot smell detection by transforming IaC scripts into an intermediate representation, on which different smell detectors can be defined. GLITCH currently supports the detection of nine different security smells [1, 2] and nine design & implementation smells [3] in scripts written in Puppet, Ansible, Chef or Terraform.
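As an added illustration of the architecture described above (not GLITCH's own code or its real intermediate representation), the following Python sketch lowers a constructed Puppet snippet and a constructed Ansible snippet into one key/value IR and runs a single technology-agnostic detector over it: the hard-coded secret smell from [1]. The toy parsers, their regexes and the `lint` helper are assumptions made for the example.

```python
import re
from collections import namedtuple
# IR element: one key/value pair plus the source line it came from.
Attribute = namedtuple("Attribute", "name value line")

# Constructed inputs for the demo (not real project files).
PUPPET_SRC = """user { 'deploy':
  ensure   => present,
  password => 'hunter2',
}
file { '/etc/app.conf': mode => '0644' }"""
ANSIBLE_SRC = """- name: create deploy user
  user:
    name: deploy
    password: "{{ vault_deploy_pw }}"
  register: out"""

PUPPET_ATTR = re.compile(r"(\w+)\s*=>\s*(?:'([^']*)'|\"([^\"]*)\"|(\w+))")
ANSIBLE_ATTR = re.compile(r"^\s*-?\s*(\w+):\s*(\S.*)$")

def puppet_to_ir(src):
    """Lower Puppet `key => value` resource attributes to the IR."""
    out = []
    for n, text in enumerate(src.splitlines(), 1):
        for m in PUPPET_ATTR.finditer(text):
            value = next(g for g in m.groups()[1:] if g is not None)
            out.append(Attribute(m.group(1), value, n))
    return out

def ansible_to_ir(src):
    """Lower Ansible YAML `key: value` parameters to the IR."""
    out = []
    for n, text in enumerate(src.splitlines(), 1):
        m = ANSIBLE_ATTR.match(text)
        if m:
            out.append(Attribute(m.group(1), m.group(2).strip("\"'"), n))
    return out

SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_key)$", re.I)

def hardcoded_secrets(attrs):
    """Hard-coded secret smell of [1]: secret-like name with a literal value."""
    return [(a.name, a.line) for a in attrs
            if SECRET_NAME.search(a.name) and a.value
            and not (a.value.startswith("$") or "{{" in a.value)]

def lint(tech, src):
    """Detectors run on the IR only; they never see the raw script."""
    lower = {"puppet": puppet_to_ir, "ansible": ansible_to_ir}[tech]
    return hardcoded_secrets(lower(src))
```

The same detector flags the literal password in the Puppet snippet and accepts the Ansible vault reference, without knowing which technology produced the IR.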
"GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code" is the main paper that describes the implementation of security smells in GLITCH. It also presents a large-scale empirical study that analyzes security smells on three large datasets containing 196,755 IaC scripts and 12,281,251 LOC.
If you use GLITCH or any of its datasets, please cite:
- Nuno Saavedra and João F. Ferreira. 2022. GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code. In 37th IEEE/ACM International Conference on Automated Software Engineering (ASE '22), October 10–14, 2022, Rochester, MI, USA. ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3551349.3556945

  ```bibtex
  @inproceedings{saavedraferreira22glitch,
    title={{GLITCH}: Automated Polyglot Security Smell Detection in Infrastructure as Code},
    author={Saavedra, Nuno and Ferreira, Jo{\~a}o F},
    booktitle={Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering},
    year={2022}
  }
  ```

- Nuno Saavedra, João Gonçalves, Miguel Henriques, João F. Ferreira, Alexandra Mendes. 2023. Polyglot Code Smell Detection for Infrastructure as Code with GLITCH. In 38th IEEE/ACM International Conference on Automated Software Engineering (ASE '23), September 11-15, 2023, Luxembourg. https://doi.org/10.1109/ASE56229.2023.00162

  ```bibtex
  @inproceedings{saavedra23glitchdemo,
    author={Saavedra, Nuno and Gonçalves, João and Henriques, Miguel and Ferreira, João F. and Mendes, Alexandra},
    booktitle={2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)},
    title={Polyglot Code Smell Detection for Infrastructure as Code with GLITCH},
    year={2023},
    pages={2042-2045},
    doi={10.1109/ASE56229.2023.00162}
  }
  ```
To install, run:

```bash
python -m pip install -e .
```

To use the tool for Chef you also need Ruby and its Ripper package installed.

To install GLITCH using Poetry, run:

```bash
poetry install
```
Some smell checks (design and security) are implemented in Rego. To use these checks, you need the appropriate Rego binary for your platform.
Download the binary for your platform from the Rego Python release.
Available binaries:
| Platform | Architecture | Binary Name |
|---|---|---|
| Linux | x86_64/amd64 | librego-linux-amd64.so |
| Linux | arm64 | librego-linux-arm64.so |
| macOS | Intel (x86_64) | librego-darwin-amd64.dylib |
| macOS | Apple Silicon | librego-darwin-arm64.dylib |
| Windows | x86_64/amd64 | librego-windows-amd64.dll |
After downloading, place the binary in:

```
glitch/rego/rego_python/src/rego_python/bin/
```
If you need a binary not listed above or prefer to build from source, you need Go installed.
```bash
cd glitch/rego/rego_python/src/rego_python/go
# Set your target OS and architecture
OS=linux   # Options: linux, darwin, windows
ARCH=amd64 # Options: amd64, arm64
# Determine file extension
if [ "$OS" = "windows" ]; then
  EXT="dll"
elif [ "$OS" = "darwin" ]; then
  EXT="dylib"
else
  EXT="so"
fi
GOOS=$OS GOARCH=$ARCH go build -o "../bin/librego-$OS-$ARCH.$EXT" -buildmode=c-shared regolib.go
```

To verify the Rego binary is correctly installed, run:

```bash
python -c "from glitch.rego.rego_python.src.rego_python import run_rego; print('Rego is working!')"
```

WARNING: For now, the GLITCH VSCode extension does not function if GLITCH is installed via Poetry. Since Poetry uses virtual environments, it does not place a GLITCH binary in the user's PATH, which the VSCode extension requires.
You can build a Docker image by running:

```bash
docker build -t glitch .
```

Please read usage > Docker.

To explore all available options, use the command:

```bash
glitch lint --help
```

To analyze a file or folder and retrieve CSV results, use the following command:

```bash
glitch lint --tech (chef|puppet|ansible|terraform) --csv --config PATH_TO_CONFIG PATH_TO_FILE_OR_FOLDER
```

If you want to consider the module structure, add the flag `--module`.
If GLITCH was installed using Poetry, execute GLITCH commands as follows:

```bash
poetry run glitch lint --help
```

Alternatively, you can use `poetry shell`:

```bash
poetry shell
glitch lint --help
```
GLITCH includes InfraFix, an interactive repair pipeline that synthesizes technology-agnostic patches for Infrastructure as Code. InfraFix observes runtime filesystem effects (via strace-based tracing), compiles IaC into a Delta-P intermediate representation, and uses a Z3-backed solver to produce candidate patches that can be applied back to the original scripts. The repair module is invoked via the infrafix subcommand:
```bash
glitch infrafix --tech <TECH> PATH_TO_IAC PID
```
PATH_TO_IAC is the file containing the IaC script to repair; PID is the process ID of the running shell or process to trace (InfraFix uses strace to observe filesystem effects).
If you use InfraFix, please cite:
```bibtex
@inproceedings{saavedra2025infrafix,
  title={InfraFix: Technology-Agnostic Repair of Infrastructure as Code},
  author={Saavedra, Nuno and Ferreira, Jo{\~a}o F and Mendes, Alexandra},
  booktitle={Proceedings of the 34th ACM SIGSOFT International Symposium on Software Testing and Analysis},
  pages={41--45},
  year={2025}
}
```
Please read install > docker first.

Use `docker run glitch [OPTIONS] PATH [OUTPUT]`

Examples:

```bash
docker run --rm glitch --help
docker run --rm -v /Users/user/.../project:/glitch:ro glitch --tech terraform .
```

To run the tests for GLITCH, run the following command:

```bash
poetry run pytest -s
```
New configs can be created with the same structure as the ones found in the folder configs.
More information can be found in GLITCH's documentation.
GLITCH has a Visual Studio Code extension which is available here.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.
[1] Rahman, A., Parnin, C., & Williams, L. (2019, May). The seven sins: Security smells in infrastructure as code scripts. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE) (pp. 164-175). IEEE.
[2] Rahman, A., Rahman, M. R., Parnin, C., & Williams, L. (2021). Security smells in ansible and chef scripts: A replication study. ACM Transactions on Software Engineering and Methodology (TOSEM), 30(1), 1-31.
[3] Schwarz, J., Steffens, A., & Lichter, H. (2018, September). Code smells in infrastructure as code. In 2018 11th International Conference on the Quality of Information and Communications Technology (QUATIC) (pp. 220-228). IEEE.
